provable entanglement and information cost for qubit-based quantum key-distribution protocols

arX

iv:q

uant

-ph/

0511

218v

1 2

2 N

ov 2

005

EPJ manuscript No.(will be inserted by the editor)

Provable entanglement and information cost for qubit-basedquantum key-distribution protocols

Georgios M. Nikolopoulos, Aeysha Khalique and Gernot Alber

Institut fur Angewandte Physik, Technische Universitat Darmstadt, 64289 Darmstadt, Germany

Received: date / Revised version: February 1, 2008

Abstract. Provable entanglement has been shown to be a necessary precondition for unconditionally securekey generation in the context of quantum cryptographic protocols. We estimate the maximal thresholddisturbance up to which the two legitimate users can prove the presence of quantum correlations in theirdata, in the context of the four- and six-state quantum key-distribution protocols, under the assumption ofcoherent attacks. Moreover, we investigate the conditions under which an eavesdropper can saturate thesebounds, by means of incoherent and two-qubit coherent attacks. A direct connection between entanglementdistillation and classical advantage distillation is also presented.

PACS. 03.67.Dd Quantum Cryptography – 03.67.Hk Quantum Communication

1 Introduction

Quantum key-distribution (QKD) protocols exploit qua-ntum correlations in order to establish a secret key be-tween two legitimate users (Alice and Bob). In a typi-cal quantum cryptographic scheme, after the transmissionstage Alice and Bob must process their raw key, in or-der to end up with identical random keys about which anadversary (Eve) has negligible information. In principle,classical as well as quantum algorithms (distillation pro-tocols) can be used for this post-processing [1,2,3,4,5,6,7,8,9,10]. In any case, it is necessary for Alice and Bob toestimate the error rate in their sifted key, for the purposeof detecting the presence of Eve on the channel.

An important quantity for any QKD protocol is thethreshold disturbance i.e., the maximal disturbance orquantum bit error rate (QBER) which can be toleratedby Alice and Bob for being capable of producing a secretkey. This threshold disturbance quantifies the robustnessof the QKD scheme under consideration against a spe-cific eavesdropping strategy, and depends on the algorithmthat Alice and Bob are using for post-processing their rawkey. Up to date, the robustness of the four-state (BB84)[11] and the six-state [12] QKD protocols has been mainlydiscussed on the basis of the so-called Csiszar-Korner cri-terion [6] and/or incoherent attacks, and various boundshave been obtained [13,14,15,16,17,18,19,20,21]. More-over, it is also known that a necessary precondition forunconditionally secure QKD is that the correlations es-tablished between Alice and Bob during the state distri-bution cannot be explained in the framework of separablestates (provable entanglement) [22,23]. Clearly, the thresh-

Send offprint requests to:

old disturbance up to which this precondition is satisfiedunder the assumption of general coherent (joint) attacks,quantifies the ultimate robustness bound of a particularQKD protocol.

In a recent paper [24], we proved that for QKD pro-tocols using two mutually unbiased bases, this thresholddisturbance for provable entanglement (robustness bound)scales with the dimension d of the information carriers as(d−1)/2d. Thus for the BB84 QKD protocol (d = 2) [11],Alice and Bob always share provable entanglement for es-timated disturbances below 1/4. Extending our studies,in this paper it is shown that the corresponding thresholddisturbance for entanglement distillation in the context ofthe six-state QKD protocol [12] is 1/3.

Our studies show that even the most powerful eaves-dropping attacks are not able to disentangle the two legit-imate users for estimated disturbances below these bor-ders. In other words, Eve is not able to decrease the ro-bustness of the protocols. The natural question arises,however, is whether and at which cost these disentan-glement thresholds can be attained in the framework ofeavesdropping attacks that maximize Eve’s properties (in-formation gain and/or probability of success in guessing).In this paper we address this open question in the contextof incoherent as well as two-qubit coherent attacks. In par-ticular, we present evidence that in the limit of many pairs,coherent attacks might be able to disentangle the two hon-est parties at the lowest threshold disturbance while si-multaneously maximizing Eve’s probability of success inguessing correctly the transmitted signal.

This paper is organized as follows : In Section 2 webriefly describe the prepare-and-measure as well as theassociated entanglement-based versions of the BB84 andthe six-state QKD protocols. The corresponding thresh-

http://arXiv.org/abs/quant-ph/0511218v1

2 G. M. Nikolopoulos et al.: Provable entanglement and information cost for qubit-based QKD protocols

old disturbances for provable entanglement (robustnessbounds) are derived in Section 3, while in Section 4 we in-vestigate the cost at which an eavesdropper can saturatethese bounds. A link between entanglement distillationand classical advantage distillation protocols is discussedin Section 5.

2 Basic facts about BB84 and six-state

protocols

For the sake of completeness, in this section we brieflysummarize basic facts about the two qubit-based QKDprotocols especially in connection with their verification-test stage.

2.1 Prepare-and-measure schemes

In the prepare-and-measure BB84 protocol [11], Alice sendsa sequence of qubits to Bob each of which is randomlyprepared in one of the basis states { |0〉, |1〉} or { |0〉, |1〉}which are eigenstates of two maximally conjugated physi-cal variables, namely the two Pauli spin operators Z andX . The eigenstates of Z, i.e. { |0〉, |1〉}, and of X , i.e.{ |0〉, |1〉}, are related by the Hadamard transformation

H =1√2

(

1 11 −1

)

, (1)

i.e. |i〉 =∑

j Hij |j〉 (i, j ∈ {0, 1}). In the computational

basis { |0〉, |1〉}, the Pauli spin operators are representedby the matrices

X =

(

0 11 0

)

, Y =

(

0 −ii 0

)

, Z =

(

1 00 −1

)

.(2)

Bob measures the received qubits randomly in one of thetwo bases. After the transmission stage, Alice and Bob ap-ply a random permutation of their data and publicly dis-cuss the bases chosen, discarding all the bits where theyhave selected different bases. Subsequently, they randomlyselect a number of the bits from the remaining randomkey (sifted key) and determine their error probability orQBER. If, as a result of a noisy quantum channel or of aneavesdropper, the estimated QBER is too high the pro-tocol is aborted. Otherwise, Alice and Bob perform errorcorrection and privacy amplification with one- or two-wayclassical communication, in order to obtain a smaller num-ber of secret and perfectly correlated random bits [1,2,3,4,5].

The six-state prepare-and-measure scheme is quite sim-ilar to the BB84 (four-state) scheme [12]. More precisely,Alice and Bob use at random three bases namely, the twobases used in the BB84 plus an additional one { |¯0〉, |¯1〉}which corresponds to the Y Pauli operator. In analogy toBB84, the three bases are related (up to a global phase)via the transformation

T =1√2

(

1 −i1 i

)

, (3)

i.e. |i〉 =∑

j Tij |j〉 and |i〉 =∑

j T 2ij |j〉 with i, j ∈ {0, 1}.

2.2 Entanglement-based schemes

It has been shown that, from the point of view of anarbitrarily powerful eavesdropper, each one of these twoprepare-and-measure schemes is equivalent to an entangle-ment-based QKD protocol [25,26,27,28,29,30,31] . Theselatter forms of the protocols offer advantages, in particularwith respect to questions concerning their unconditionalsecurity, and work as follows: Alice prepares each of, say2n, entangled-qubit pairs in a particular Bell state [32], say|Ψ−〉 ≡ 1√

2( |0A1B〉 − |1A0B〉) (where the subscripts A, B

refer to Alice and Bob, respectively). This state is invari-ant under any unitary transformation of the form UA⊗UB.Alice keeps half of each pair and submits the other halfto Bob after having applied a random unitary transforma-tion chosen either from the set {1,H} (two-basis protocol)or from the set {1, T , T 2} (three-basis protocol).

At the end of the transmission stage, Alice announcespublicly the transformations she applied on the transmit-ted qubits and Bob reverses all of them. At this stage,in an ideal scenario Alice and Bob would share 2n pairsin the state |Ψ−〉⊗2n. Due to channel noise and the pres-ence of a possible eavesdropper, however, at the end of thetransmission stage all the 2n entangled-qubit pairs will becorrupted. In fact, they will be entangled among them-selves as well as with Eve’s probe. Thus, the next step forAlice and Bob is to estimate the number of singlets amongthe 2n shared pairs (alternatively to estimate the fractionof pairs which are in error). To this end, they apply averification test which proceeds as follows: Firstly, Aliceand Bob permute randomly all the pairs, distributing thusany influence of the channel noise and the eavesdropperequally among all the pairs [4,27]. Afterwards, they ran-domly select a number (say nc) of the pairs as check pairs,they measure each one of them separately along a com-mon basis and they publicly compare their outcomes. Theinfluence of channel noise or of an eavesdropper is thusquantified by the average estimated QBER of the checkpairs while, assuming that the check pairs constitute afair sample [33], the estimated QBER applies also to theremaining, yet unmeasured, 2n− nc pairs.

After the verification test all the check pairs are dis-missed and, if the QBER is too high the protocol is aborted.Otherwise, Alice and Bob apply an appropriate entan-glement purification protocol (EPP) with classical one-or two-way communication [8,9] on the remaining 2n −nc pairs, in order to distill a smaller number of almostpure entangled-qubit pairs. Finally, measuring these al-most perfectly entangled-qubit pairs in a common basis,Alice and Bob obtain a secret random key, about whichan adversary has negligible information.

2.3 Verification test and confidence level

In closing this introductory part of the paper let us recallsome known basic facts about the verification test whichare necessary for the subsequent discussion. The reasonsfor which such a classical random sampling procedure ap-plies to a quantum scenario have been thoroughly dis-

G. M. Nikolopoulos et al.: Provable entanglement and information cost for qubit-based QKD protocols 3

cussed in the literature [4,26,27,28,29,30,31]. Briefly, thecommuting-observables idea allows us to reduce any quan-tum eavesdropping attack (even a joint one) to a classicalprobabilistic cheating strategy, for which classical proba-bility theory can be safely applied [26,29]. Furthermore,Eve does not know in advance which pairs will be used forquality checks and which pairs will contribute to the fi-nal key. Thus she is not able to treat them differently andthe check pairs constitute a fair [33] classical random sam-ple of all the pairs [4,26,27]. By invoking the verificationtest therefore the two legitimate users can be confidentthat (with high probability) the estimated error rate isalso the error rate they would have measured if they wereable to perform a Bell measurement projecting their pairsonto a 2n-pair Bell basis [26,29,30]. The confidence levelis determined by classical random sampling theory [34].In particular, the conditional probability that the verifi-cation test is passed given that Alice and Bob underesti-mate the error rate in their pairs is exponentially smallin the sample-size nc (i.e, ∼ 2−nc) [26,29]. In other wordsthe probability that Eve cheats successfully can be madearbitrarily small by choosing a sufficiently large sample.

3 Provable entanglement and threshold

disturbances

According to a recent observation, a necessary precon-dition for secret key distillation is that the correlationsestablished between Alice and Bob during the state dis-tribution cannot be explained by a separable state [22,23]. Throughout this work, we consider that Alice andBob focus on the sifted key during the post-processing(i.e., they discard immediately all the polarization data forwhich they have used different bases) and that they treateach pair independently. Thus, according to the aforemen-tioned precondition, given a particular value of the es-timated QBER (observable), the task of Alice and Bobis to infer whether they share provable entanglement ornot. Thereby, entanglement is considered to be provableif Alice’s and Bob’s correlations cannot be explained bya separable state within the framework of the protocols(including post-processing) and observables under consid-eration.

Recently [24], for the same post-processing, we esti-mated the threshold disturbance for provable entangle-ment in the context of two-basis qudit-based QKD pro-tocols under the assumption of joint eavesdropping at-tacks. In particular, we showed that for estimated distur-bances below (d − 1)/2d (where d is the size of the in-formation carriers), Alice and Bob can be confident thatthey share provable entanglement with probability expo-nentially close to one (see Section 2.3). In this section, forthe sake of completeness, we briefly recapitulate the mainsteps of our proof adapted to the BB84 scheme. Subse-quently, along the same lines, we estimate the correspond-ing threshold disturbance for the six-state QKD scheme.For the sake of consistency, we will adopt the entangle-ment-based versions of the protocols. We would like to

stress, however, that the estimated threshold disturbancescharacterize both versions of the protocols.

3.1 BB84 protocol

Given the unitarity and hermiticity of H, the average dis-turbance (average error probability per qubit pair), thatAlice and Bob estimate during the verification test is givenby [4,24,27]

D =1

2nc

∑

b=0,1

nc∑

ji;i=1

TrA,B

{

[

HbAB P Hb

AB

]

ji

ρAB

}

, (4)

with the projector [35]

Pji=

∑

l=0,1

|lA, lB〉〈lA, lB| = |Φ+〉〈Φ+| + |Φ−〉〈Φ−| , (5)

and HbAB ≡ Hb

A ⊗ HbB. The last equality in (5) indicates

that the verification test is nothing more than a quality-check test of the fidelity of the 2n pairs with respect tothe ideal state |Ψ−〉⊗2n [4,26,27,28,29,30,31]. The stateρAB in Eq. (4) denotes the reduced density operator ofAlice and Bob for all 2n pairs while the index ji indi-cates that the corresponding physical observable refers tothe ji-th randomly selected qubit pair. The powers of theHadamard transformations Hb, with b ∈ {0, 1}, reflect thefact that the errors in the sifted key originate from mea-surements in both complementary bases which have beenselected randomly by Alice and Bob with equal probabil-ities.

As we mentioned in Section 2.3 one of the crucial cor-nerstones for the unconditional security of the protocol isthat Eve does not know in advance which pairs will beused for quality checks and which pairs will contributeto the final key. Thus she is not able to treat them dif-ferently and the check pairs constitute a classical ran-dom sample of all the pairs [4,26,27,28]. To ensure sucha homogenization, Alice and Bob permute all of theirpairs randomly before the verification stage. In view ofthis homogenization, the eavesdropping attack (althougha joint one) becomes symmetric on all the pairs [4,27]

i.e., ρ(1)AB = ρ

(2)AB = · · · = ρ

(2n)AB . Here, the reduced den-

sity operator of Alice’s and Bob’ s k-th pair is denoted by

ρ(k)AB = Tr

( 6k)AB(ρAB) and Tr

( 6k)AB indicates the tracing (aver-

aging) procedure over all the qubit pairs except the k-thone. Accordingly, the average estimated disturbance (4)reads [24]

D =1

2

1∑

b=0

Tr(j1)A,B

{

[

(HbA ⊗Hb

B) P (HbA ⊗Hb

B)]

j1ρ(j1)AB

}

(6)

where Tr(j1)A,B denotes the tracing procedure over the j1-

th qubit pair of Alice and Bob. So, an arbitrary eaves-dropping attack which gives rise to a particular reduced

single-pair state ρ(j1)AB is indistinguishable, from the point


of view of the estimated average disturbance, from a cor-responding collective (individual) attack which results in

a decorrelated 2n-pair state of the form⊗2n

j=1 ρ(j)AB.

Our purpose now is to estimate the threshold distur-bance Dth such that for any estimated D < Dth Alice andBob can be confident that their correlations cannot haveemerged from a separable state. To this end let us explorethe symmetries underlying the observable under consid-eration i.e., the estimated average QBER. According toEqs. (6) and (5), D is invariant under the transformations

(l, b) → (l ⊕2 1, b),

(l, b) → (l, b ⊕2 1), (7)

where ⊕2 denotes addition modulo 2. This invariance im-

plies that the reduced density operators ρ(j1)AB and

ρ(j1)AB =

1

8

∑

g∈G1,h∈G2

U(h)U(g)ρ(j1)AB U(g)†U(h)† (8)

give rise to the same observed value of the QBER [24].The unitary and hermitian operators appearing in Eq.(8) form unitary representations of two discrete Abeliangroups G1 = {g1, g2, g3, g4} and G2 = {h1, h2}, and aregiven by

U(g1) = XA ⊗XB, U(g2) = ZA ⊗ZB,

U(g3) = −YA ⊗ YB, U(g4) = 1A ⊗ 1B, (9)

and

U(h1) = HA ⊗HB, U(h2) = 1A ⊗ 1B. (10)

Moreover, invariance of the average QBER under the sym-metry transformations of Eq. (7) induces invariance of

ρ(j1)AB under both discrete Abelian groups G1 and G2.

The key point is now that ρ(j1)AB and ρ

(j1)AB differ by local

unitary operations and convex summation. Thus the den-

sity operator ρ(j1)AB is entangled if ρ

(j1)AB is entangled. Our

main problem of determining the values of the QBER forwhich Alice and Bob share provable entanglement can bereduced therefore to the estimation of the values of D forwhich the most general two-qubit state ρ

(j1)AB (which is in-

variant under both Abelian discrete groups) is entangled.The hermitian operators U(g1) and U(g2) of the group

G1 constitute already a complete set of commuting oper-ators in the Hilbert space of two qubits and the corre-sponding eigenstates are the Bell states [32]. Thus, themost general two-qubit state which is invariant under theAbelian group G1 is given by

ρ(j1)AB = λ00 |Φ+〉〈Φ+| + λ10 |Φ−〉〈Φ−|

+ λ01 |Ψ+〉〈Ψ+| + λ11 |Ψ−〉〈Ψ−| , (11)

with λαβ ≥ 0 and

∑

α,β∈{0,1}λαβ = 1, (12)

while additional invariance under the discrete group G2

implies that

λ01 = λ10. (13)

Thus, the state (11) with the constraint (13) is the mostgeneral two-qubit state invariant under the Abelian groupsG1 and G2.

For later convenience let us rewrite the state ρ(j1)AB in

the computational basis, i.e.

ρ(j1)AB =

1

2

D 0 0 G0 F H 00 H F 0G 0 0 D

, (14)

with F = 1 − D denoting the so-called fidelity, i.e. thetotal probability for Bob to receive the submitted signalundisturbed. Furthermore, the remaining parameters aregiven by

D = λ00 + λ10, F = λ01 + λ11,

G = λ00 − λ10, H = λ01 − λ11, (15)

with D denoting the disturbance (QBER). In general, theparameters G and H can be expressed in terms of theoverlaps between different states of Eve’s probe and arethus intimately connected to the eavesdropping strategy.The key point for the subsequent discussion, is that for theestimation of the threshold disturbance it is not requiredto know the explicit form of the “macroscopic” parametersG and H and their detailed dependences on Eve’s attack.More precisely, using Eqs. (15), the constraints (12) and(13) read

F + D = 1 (16)

F + H = D − G (17)

respectively, while non-negativity of the eigenvalues λαβ

implies

D ≥ |G|, (18)

F ≥ |H |. (19)

The possible values of the estimated disturbance for

which ρ(j1)AB is entangled can be estimated by means of the

fully-entangled fraction (see [24]) or the Peres-Horodecki

criterion [36]. Using the latter, we have that ρ(j1)AB is sepa-

rable if and only if the inequalities

D ≥ |H |, (20)

F ≥ |G|, (21)

are satisfied. As depicted in Fig. 1, these last inequalitiescombined with inequalities (18), (19) and Eqs. (16), (17)

imply that the symmetrized state ρ(j1)AB is entangled if and


D1.0

0 0.25−0.5 −0.25−0.75−1.0 1.00.750.5

0.75

0.25

H

b

a

d

b

a

c

Fig. 1. BB84 protocol: Region of the independent parameters

D(QBER) and H for which the two-qubit state ρ(j1)AB is separa-

ble (shaded region). The various constraints that these param-eters satisfy are indicated by straight dotted lines. Specifically,(a) Eq. (20); (b) Eq. (19); (c) Eqs. (18) and (16), (17); (d) Eqs.(21) and (16), (17). The protocol operates in the region whichis defined by the solid lines.

anly if the estimated QBER is below 1/4 or above 3/4.

Given, however, that the states ρ(j1)AB and ρ

(j1)AB are related

via local operations and convex summation, the original

single-pair state ρ(j1)AB must also be entangled in the same

regime of parameters. Moreover, the probability that theQBER has been underestimated during the verificationtest is exponentially small in nc (see Section 2.3 and re-lated references). Hence we may conclude that, wheneverAlice and Bob detect an average QBER below 1/4 (orabove 3/4), they can be confident that they share en-tanglement with probability exponentially close to one(∼ 1 − 2−nc), and their correlations cannot have origi-nated from a separable state. The necessary preconditionfor secret-key distillation is therefore fulfilled for estimateddisturbances within these intervals.

On the contrary, for 1/4 ≤ D ≤ 3/4 we have that

ρ(j1)AB is separable. Of course, this does not necessarily im-

ply that ρ(j1)AB is also separable. But it does indicate that

in this regime of parameters, Alice’s and Bob’s correla-tions within the framework of the BB84 protocol can be

explained by a separable state, namely by ρ(j1)AB . So, ac-

cording to [22,23], this implies that Alice and Bob can-not extract a secret key and must abort the protocol.From now on we focus on the regime of practical interest(F ≥ D), where the lowest possible threshold disturbance(Dth = 1/4) is attained for G = H = −1/4.

3.2 Six-state protocol

The threshold disturbances for the six-state protocol canbe determined in the same way. In this case, however, allthree bases are used with the same probabilities and thus

the average estimated disturbance (QBER) reads

D =1

3

2∑

b=0

Tr(j1)A,B

{

[

(T bA ⊗ T b

B) P (T b†A ⊗ T b†

B )]

j1ρ(j1)AB

}

(22)

where the unitary (but not hermitian) transformation Tis defined in Eq. (3).

In analogy to the BB84 protocol, exploiting the sym-metries underlying Eq. (22) one finds that D is invariantunder the transformations

(l, b) → (l ⊕2 1, b),

(l, b) → (l, b ⊕3 1),

(l, b) → (l, b ⊕3 2), (23)

with ⊕3 denoting addition modulo 3. Furthermore, theinvariance of D under the transformations (23) implies

that the reduced density operators ρ(j1)AB and

ρ(j1)AB =

1

12

∑

g∈G1,t∈G3

U(t)U(g)ρ(j1)AB U(g)†U(t)† (24)

yield the same average QBER. This latter state is invari-ant under the discrete Abelian groups G1 [with elementsgiven in Eq. (9)] and G3 = {t1, t2, t3} with elements

U(t1) = TA ⊗ TB,

U(t2) = T 2A ⊗ T 2

B ,

U(t3) = 1A ⊗ 1B. (25)

The most general two-qubit state invariant under the Abeliangroups G1 and G3 is now of the form (11), with

λ00 = λ10 = λ01. (26)

Thus, in the computational basis ρ(j1)AB is given by (14)

with

D = 2λ00, F = λ11 + λ00,

G = 0, H = λ00 − λ11. (27)

Accordingly, condition (17) now reads

F + H = D, (28)

while non-negativity of the eigenvalues λαβ implies in-equality (19) only. Finally, applying the Peres-Horodecki

criterion one finds that ρ(j1)AB is separable if and only if

inequality (20) is satisfied.As a consequence of Eqs. (16), (28) and G = 0, there is

only one macroscopic independent parameter in our prob-lem, say H , while combining inequalities (19) and (20)with Eqs. (16) and (28) we obtain that the reduced den-

sity operator ρ(j1)AB is separable iff 1/3 ≤ D ≤ 2/3 (Fig.

2). That is, no matter how powerful the eavesdropper is,Alice and Bob share always provable entanglement for es-timated disturbances smaller than 1/3. The lowest disen-tanglement border for the six-state scheme (Dth = 1/3)


D1.0

0−0.5 −0.25−0.75−1.0 0.25 0.5 0.75 1.0

1/3

H

2/3

b b

a

c

a

Fig. 2. Six-state protocol: Region of the parameters

D(QBER) and H for which the two-qubit state ρ(j1)AB is separa-

ble (thick solid line). The various constraints that these param-eters satisfy are indicated by straight dotted lines. Specifically,(a) Eq. (20); (b) Eq. (19); (c) Eqs. (16) and (28). The protocoloperates along the solid lines.

is attained for H = −1/3. It is also worth noting that, incontrast to BB84, in the six-state protocol there is onlyone disentanglement threshold since for D > 2/3 the pro-tocol is not valid.

As expected, the bound for the six-state protocol ishigher than the one for the BB84 protocol. In fact, as aconsequence of the high symmetry of the six-state proto-col, the disentanglement area of the BB84 scheme (shadedregion in Fig. 1) shrinks to a line in Fig. 2 (thick line). Aswill be seen later on, this “degeneracy” affects significantlythe options of a potential eavesdropper in the frameworkof the six-state protocol, increasing thus the robustness ofthe protocol.

4 The price of disentanglement

In QKD issues, Eve’s attack is usually optimized by maxi-mizing her Shannon information (or the probability of herguessing correctly Alice’s bit-string) conditioned on a fixeddisturbance. Given, however, that the unconditional secu-rity of the BB84 and six-state cryptographic schemes isbeyond doubt, Eve might be willing to reduce the robust-ness of the protocols to the lowest possible level while si-multaneously maximizing any of her properties [19]. Thus,what remains to be clarified now is the cost at which Evecan saturate the lowest disentanglement threshold Dth, interms of her information gain and probability of correctguessing. To this end, we have to consider in detail theeavesdropping attack on the BB84 and the six-state pro-tocols.

Such an investigation, however, is practically feasibleonly in the context of attacks on a few qubits. As the num-ber of attacked qubit-pairs increases the complete treat-ment of the problem becomes intractable due to the largenumber of independent parameters involved. In this sec-tion we will focus on incoherent and two-qubit coherent at-tacks. The disentanglement of Alice and Bob in the frame-work of incoherent attacks has been extensively studied in

the literature [17,18,19,20,21]. In most of these studies,however, Eve’s attack is by default optimized to provideher with the maximal Shannon information. On the con-trary, here we give Eve all the flexibility to adjust herparameters in order to break entanglement between Aliceand Bob and simultaneously maximize her properties. Fi-nally, for the two QKD protocols under consideration, weare not aware of any related previous work on disentan-glement in the context of coherent attacks.

4.1 BB84 protocol

4.1.1 Incoherent attacks

Incoherent attacks belong to the class of the so-calledsingle-qubit or individual attacks, where Eve manipulateseach transmitted qubit individually. To this end, she at-taches a single probe (initially prepared in e.g. state |0E〉)to each transmitted qubit and lets the combined systemundergo a unitary transformation of the form [13,37,38]

|0B〉 ⊗ |0E〉 →√

F |0B〉 ⊗ |φ0〉 +√

D |1B〉 ⊗ |θ0〉,|1B〉 ⊗ |0E〉 →

√F |1B〉 ⊗ |φ1〉 +

√D |0B〉 ⊗ |θ1〉,(29)

with F and D being the fidelity and disturbance respec-tively, while |φj〉 and |θj〉 are normalized states of Eve’sprobe when Bob receives the transmitted qubit undis-turbed (probability F ) and disturbed (probability D), re-spectively. Applying unitarity and symmetry conditionson this transformation one finds that the states |φj〉 areorthogonal to the states |θj〉 (j ∈ {0, 1}), while the over-laps 〈φ0|φ1〉 and 〈θ0|θ1〉 are real-valued [13,37,38]. Thus,an incoherent attack can be described by the four pa-rameters satisfying Eqs. (16), (17) (18) and (19) withH = −F 〈φ0|φ1〉 and G = −D〈θ0|θ1〉. In other words,there are only two independent parameters and by fixingone of them, say D, one is able to determine any prop-erty of the attack. In Figs. 3, we present Eve’s optimalinformation gain and probability of success in guessingthe transmitted qubit correctly as functions of the distur-bance (solid line). The optimization is performed in theusual way, i.e. for a fixed disturbance D, Eve’s mutual in-formation with Alice is maximized [13,38]. It is also knownthat such an optimized strategy disentangles the qubits ofAlice and Bob at D(1) ≈ 30% (vertical dotted line)[17],which is well above Dth = 25%. Thus, the natural ques-tion arises is whether, under the assumption of incoherentattacks, Eve can saturate the lowest possible disentangle-ment border Dth and if yes, at which cost of informationloss.

To answer this question, for a fixed disturbance D, wecalculated numerically all the possible values of G and Hwhich are consistent with the constraints (16)-(19) andwhich yield a separable state of Alice and Bob. In general,at any given disturbance there is more than one combina-tion of values of G and H which fulfill all these constraints.


0.8

0.85

0.9

0.95

1

Pro

babi

lity

0.225 0.25 0.275 0.3 0.325

D

0.55

0.6

0.65

0.7

0.75

0.8

Info

rmat

ion

(bits

)

(a)

(b)

Fig. 3. BB84 protocol — Incoherent attacks : (a) Eve’s proba-bility of guessing correctly the transmitted message as a func-tion of disturbance D. The solid line corresponds to an attackthat maximizes Eve’s probability of success in guessing, whileeach square denotes the corresponding probability for an attackwhich in addition, disentangles Alice and Bob at the specificdisturbance. (b) As in (a) but for Eve’s information gain. Thevertical dotted lines correspond to the solid curves, and denotethe disturbance D(1) ≈ 30% up to which Alice and Bob sharean entangled state. The vertical dashed lines denote the low-est disentanglement threshold disturbance Dth = 1/4 whichcan be attained in the context of general coherent attacks andintercept-resend strategies.

For each of these combinations, we calculated Eve’s infor-mation gain and her probability of correct guessing [13,38]. The results presented as squares in Figs. 3, refer tothose combinations of parameters which, not only disen-tangle the two honest parties for a particular disturbanceD, but which simultaneously maximize Eve’s property aswell. Clearly, for disturbances close to Dth, the two strate-gies are not equivalent since they yield substantially dif-ferent results. In other words, an optimal incoherent at-tack that maximizes Eve’s information gain is certainlynot the one which achieves the lowest possible robustnessbound. Furthermore, our simulations show that saturationof Dth = 1/4 is feasible at the cost of ∼ 4% less informa-tion gain of Eve or equivalently at the cost of ∼ 7.44%less probability of success in guessing.

4.1.2 Two-qubit coherent attacks

In a two-qubit coherent attack, Eve attaches one probeto two of the qubits sent by Alice. Let |mB〉 with m ∈{0, 1, 2, 3}, be the message sent from Alice to Bob in bi-nary notation. The combined system then undergoes a

unitary transformation of the form [38]

|0B〉|1B〉|2B〉|3B〉

⊗ |0E〉 → E ⊗

|0B〉|1B〉|2B〉|3B〉

, (30)

where E is a 4×4 matrix which contains normalized statesin the Hilbert space of Eve’s probe

E ≡

√α |φ0〉

√β |θ0〉

√β |ω0〉

√γ |χ0〉√

β |θ1〉√

α |φ1〉√

γ |χ1〉√

β |ω1〉√β |ω2〉

√γ |χ2〉

√α |φ2〉

√β |θ2〉√

γ |χ3〉√

β |ω3〉√

β |θ3〉√

α |φ3〉

.

The states φj , θj , ωj and χj denote Eve’s probe statesin cases in which Bob receives all the transmitted qubitsundisturbed, one qubit disturbed or both transmitted qubitsdisturbed.

Applying unitarity and symmetry conditions on Eq.(30), the problem can be formulated in terms of the fol-lowing four mutually orthogonal subspaces [38]

Sφ = {φ0, φ1, φ2, φ3}, Sχ = {χ0, χ1, χ2, χ3},Sθ = {θ0, θ1, θ2, θ3}, Sω = {ω0, ω1, ω2, ω3},

while all the overlaps between the various states withineach of these subspaces are real-valued. Thus, Eve is ableto infer with certainty whether Bob has received bothqubits undisturbed (Sφ), one qubit disturbed (Sθ,ω) orboth qubits disturbed (Sχ). These events occur with prob-abilities α, 2β and γ, respectively. It can be shown thata general coherent two-qubit attack can be described interms of five independent parameters [38]. The averagereduced density matrix for Alice and Bob is then of theform (14), with F = α+β, D = β +γ, H = −(α〈φ0|φ1〉+β〈θ0|θ2〉), G = −(γ〈χ0|χ1〉+β〈θ0|θ1〉), satisfying the con-straints (16), (17), (18) and (19).

Compared to an incoherent attack, a two-qubit coher-ent attack can improve the probability that Eve guessescorrectly the whole two-bit message sent by Alice to Bob[38]. Eve’s optimal probability of success in guessing isplotted in Fig. 4 (solid line), as a function of disturbanceD. This curve has been obtained by maximizing Eve’sprobability of success in guessing conditioned on a fixeddisturbance D. For such an optimal attack, we found nu-merically that Alice and Bob share entanglement up todisturbances of the order of D(2) ≈ 28% (dotted verticalline). This is in contrast to the bound D(1) ≈ 30% at-tained in an optimal incoherent attack. Furthermore, wealso found that Eve is able to saturate the lowest possi-ble robustness bound (dashed vertical line), at the cost of∼ 3% less probability of success in guessing. This loss ofEve’s probability in guessing is substantially smaller thanthe corresponding loss for incoherent attacks (∼ 7.44%).Thus, it could be argued that a two-qubit coherent attackwhich is optimized with respect to the probability of guess-ing only, is very close to an optimal coherent attack whichalso disentangles Alice and Bob at Dth = 1/4. The reasonis basically that in a two-qubit coherent attack each one


0.225 0.25 0.275 0.3 0.325

D

0.8

0.85

0.9

0.95

1

Pro

babi

lity

Fig. 4. BB84 protocol — Two-qubit coherent attacks : Eve’sprobability of guessing correctly a two-bit transmitted messageas a function of disturbance D. The solid line corresponds to anattack that maximizes Eve’s probability of success in guessingonly, while each square denotes the corresponding probabilityfor an attack that, in addition, disentangles Alice and Bob atthe specified disturbance. The vertical dotted line correspondsto the solid curve, and denotes the disturbance D(2) ≈ 28% upto which Alice and Bob share an entangled state. The verticaldashed line denotes the lowest possible disentanglement thresh-old disturbance Dth = 1/4 that can be attained in the contextof general coherent attacks and intercept-resend strategies.

of the two independent macroscopic parameters G and Hcan be expressed in terms of two different overlaps whereasin incoherent attacks the corresponding dependences in-volve a single overlap only. In a coherent attack Eve hastherefore more possibilities enabling her to push the dis-entanglement border towards the lowest possible value,while simultaneously maximizing her probability of guess-ing correctly the transmitted message.

4.2 Six-state protocol

So far, we have considered incoherent and coherent at-tacks in the context of the BB84 protocol where Eve’s at-tack is determined by a set of two macroscopic parameters(G, H). These two independent parameters give a consid-erable flexibility to Eve since at a given disturbance thereexists a variety of physically allowed attacks. This fact isalso reflected in Fig. 1 where, for a specific disturbance,Alice and Bob can be disentangled for different values ofH (and therefore of G).

In the highly symmetric six-state protocol, however,the situation is much simpler. In fact, the high symme-try of the protocol reduces significantly the options of aneavesdropper since there is only one independent macro-scopic parameter in our problem, namely H . Moreover,the analysis of the attacks under consideration becomesrather straightforward [39]. In particular, for incoherentattacks G = −D〈θ0|θ1〉 = 0 which indicates that Eve has

full information about the disturbed qubits received byBob. However, as depicted in Fig. 2, at a given value ofD there is a unique value of H consistent with the lawsof quantum mechanics. It is determined by Eqs. (16) and(28) [line (c) in Fig. 2]. Similarly, for the two qubit coher-ent attack we have 〈χ0|χ1〉 = 〈θ0|θ1〉 = 0 and thus G = 0,whereas H = −(α〈φ0|φ1〉+β〈θ0|θ2〉) = −(α−γ) = 2D−1.As a result, for both incoherent and two-qubit coherent at-tacks, the physically allowed attack is the one that max-imizes Eve’s probability of guessing and simultaneouslydisentangles Alice and Bob at a given disturbance. It issufficient for Eve therefore to optimize her attack withrespect to her probability of correct guessing in order todisentangle Alice and Bob at the lowest possible distur-bance.

5 Entanglement and intrinsic information

So far, we have discussed for both the four- and six-stateprotocols the maximal disturbance up to which Alice andBob share entanglement. Clearly, this bound indicates thatin principle secret-key generation is feasible by means ofa quantum purification protocol. In this section we showthat, at least in the context of incoherent attacks, a two-way classical protocol, the so-called advantage distilla-tion protocol, exists which can tolerate precisely the sameamount of disturbance as a quantum purification protocol.

To this end, we adopt Maurer’s model for classicalkey agreement by public discussion from common infor-mation [3]. Briefly, in this classical scenario, Alice, Boband Eve, have access to independent realizations of ran-dom variables X, Y and Z, respectively, jointly distributedaccording to PXY Z . Furthermore, the two honest partiesare connected by a noiseless and authentic (but otherwiseinsecure) channel. In the context of this model, Maurerand Wolf have shown that a useful upper bound for thesecret-key rate S(X ; Y ||Z) is the so called intrinsic infor-mation I(X ; Y ↓ Z) which is defined as

I(X ; Y ↓ Z) = minZ→Z

{I(X : Y |Z)},

where I(X : Y |Z) is the mutual information between thevariables X and Y conditioned on Eve’s variable Z, whilethe minimization runs over all the possible maps Z → Z[40].

For our purposes, we can link this classical scenarioto a quantum one. More precisely, the joint distributionPXY Z can be thought of as arising from measurementsperformed on a quantum state |ΨABE〉 shared betweenAlice, Bob and Eve. We have, however, to focus on inco-herent attacks where Eve interacts individually with eachqubit and performs any measurements before reconcilia-tion. Thus, at the end of such an attack the three par-ties share independent realizations of the random vari-ables X , Y and Z. Accordingly, the resulting mixed stateafter tracing out Eve’s degrees of freedom is of the form(14) where H = −F 〈φ0|φ1〉 and G = −D〈θ0|θ1〉. It turnsout [18] that the random variables X and Y are symmet-ric bits whose probability of being different is given by


Prob[X 6= Y ] = D whereas Eve’s random variable consistsof two bits Z1 and Z2. The first bit Z1 = X ⊕2 Z showswhether Bob has received the transmitted qubit disturbed(Z1 = 1) or undisturbed (Z1 = 0). The probability thatthe second bit Z2 indicates correctly the value of the bitY is given by

Prob[Z2 = Y ] = δ =1 +

√

1 − 〈φ0|φ1〉22

. (31)

As has been shown by Gisin and Wolf [18], for the sce-nario under consideration secret key agreement is alwayspossible iff the following condition holds

D

1 − D< 2

√

(1 − δ)δ. (32)

More precisely, one can show that if the above condition isnot satisfied, the intrinsic information vanishes whereas,in any other case there exists a classical protocol that canprovide Alice and Bob with identical keys about which Evehas negligible information. Such a protocol, for instanceis the so-called advantage distillation protocol which isdescribed in detail elsewhere [3].

In our case now, considering that Eve has adjusted theparameters in her attack to disentangle Alice and Bob atthe lowest possible disturbance, Eq. (31) yields for the twoprotocols

δ =

{

3+2√

26 BB84 protocol

2+√

34 six-state protocol.

Using these values of δ in Eq. (32) one then obtains boundsthat are precisely the same with the threshold distur-bances for provable entanglement we derived in Section3. In other words we have shown that, as long as Aliceand Bob are entangled, a classical advantage distillationprotocol is capable of providing them with a secret key,provided Eve restricts herself to individual attacks only(see also [20,21] for similar results).

This result is a manifestation of the link between quan-tum and secret correlations in both four- and six-stateQKD protocols [22,23]. For the time being, the validity ofthis equivalence between classical and quantum distilla-tion protocols is restricted to individual attacks only. In-vestigations of tomographic QKD protocols have shown,however, that such an equivalence is invalid for coherentattacks [41].

6 Concluding remarks

We have discussed provable entanglement in the frame-work of the BB84 and the six-state QKD protocols underthe assumption of coherent(joint) attacks. In particular,we have shown that the threshold disturbances for prov-able entanglement are 1/4 and 1/3 for the four- and six-state QKD protocols, respectively. Perhaps surprisingly,these borders coincide with the disentanglement bordersassociated with the standard intercept-resend strategy [42,

43]. Here we have shown, however, that even the mostpowerful eavesdropping attacks (which are only limitedby the fundamental laws of quantum theory), are not ableto push these disentanglement borders to lower distur-bances. In other words, for the two protocols under con-sideration, any eavesdropping attack which disentanglesAlice and Bob gives rise to QBERs above 1/4 (BB84)and 1/3 (six-state). Hence, for estimated disturbances be-low these borders the two honest parties can be confident(with probability exponentially close to one) that theirquantum correlations cannot be described in the contextof separable states and can be explored therefore for theextraction of a secret key.

In particular, for the entanglement-based versions ofthe protocols such a secure key can be obtained after ap-plying an EPP which purifies the qubit pairs shared be-tween Alice and Bob. Nevertheless, for the prepare-and-measure forms of the protocols the situation is more in-volved. To the best of our knowledge, the highest tolerableerror rates that have been reported so far in the contextof the prepare-and-measure BB84 and six-state schemesare close to 20% and 27%, respectively [4,5]. These bestrecords are well below the corresponding threshold distur-bances we obtained in this work. Thus, an interesting openproblem is the development of prepare-and-measure pro-tocols which bridge the remaining gap and are capable ofgenerating a provably secure key up to 25% and 33.3%bit error rates. In view of the fundamental role of en-tanglement in secret key distribution such a developmentappears to be plausible. For this purpose, however, con-struction of new appropriate EPPs with two-way classicalcommunication, which are consistent with the prepare-and-measure schemes, is of vital importance.

Furthermore, we have investigated the cost of infor-mation loss at which an eavesdropper can saturate thesebounds in the context of symmetric incoherent and two-qubit coherent attacks. We have found that for the highlysymmetric six-state scheme, there is always a unique eaves-dropping attack which disentangles Alice and Bob at afixed disturbance (above 1/3) and simultaneously maxi-mizes Eve’s information gain and/or probability of guess-ing. For the BB84 protocol, however, the situation is sub-stantially different. Specifically, an attack which maxi-mizes any of Eve’s properties (information gain or proba-bility of success in guessing) is not necessarily also the onethat yields the lowest possible robustness bound. In fact,if Eve aims at reducing the robustness of the BB84 proto-col she has to accept less information gain and probabil-ity of correct guessing. Nevertheless, our simulations showthat for a two-qubit coherent attack this cost is substan-tially smaller than the cost for an incoherent attack. Weconjecture therefore that, for coherent attacks on a largernumber of qubits, the strategy that maximizes Eve’s prob-ability of success in guessing, is also the one that definesthe lowest possible disentanglement threshold.

In closing, it should be stressed that the bounds wehave obtained throughout this work depend on the post-processing that Alice and Bob apply. In particular, theyrely on the complete omission of any polarization data


from the raw key that involve different bases for Aliceand Bob as well as on the individual manipulation of eachpair of (qu)bits during the post-processing. In other wordsonly one observable is estimated, namely the disturbanceor QBER. If some of these conditions are changed, also thethreshold disturbances may change. In this context it wasdemonstrated recently that with the help of entanglementwitnesses which are constructed from the data of the rawkey, the detection of quantum correlations between Aliceand Bob is feasible even for QBERs above the bounds wehave obtained here [22].

7 Acknowledgments

Stimulating discussions with Nicolas Gisin and NorbertLutkenhaus are gratefully acknowledged. This work is sup-ported by the EU within the IP SECOQC.

References

1. G. Brassard and L. Salvail (1994), in Advances in Cryp-

tology — EUROCRYPT ’93 Proceedings, Lecture Notes

in Computer Science, edited by T. Helleseth (SpringerVerlag, New York) 765, p. 410

2. C.H. Bennett, G. Brassard, C. Crepeau and U.M. Maurer,IEEE Trans. Inf. Theory 41, 1915 (1995)

3. U. Maurer, IEEE Trans. Inf. Theory 39, 733 (1993)4. D. Gottesman and H.K. Lo, IEEE Trans. Inf. Theory 49,

457 (2003)5. H.F. Chau, Phys. Rev. A 66, 060302 (2002)6. I. Csiszar and J. Korner, IEEE Trans. Inf. Theory IT-24,

339 (1978)7. G. Brassard and L. Salvail, Lect. Notes Comput. Sci. 765,

410 (1994)8. D. Deutsch, A. Ekert, R. Jozsa, C. Macchiavello, S.

Popescu and A. Sanpera, Phys. Rev. Lett. 77, 2818(1996)

9. C.H. Bennett, D.P. DiVincenzo, J.A. Smolin and W.K.Wooters, Phys. Rev. A 54, 3824 (1996)

10. C.H. Bennett, G. Brassard, S. Popescu, B. Schumacher,J.A. Smolin and W.K. Wooters, Phys. Rev. Lett. 76, 722(1996)

11. C. H. Bennett and G. Brassard, in Proceedings IEEE In-

ternational Conference on Computers, Systems and Sig-

nal Processing, Bangalore, 1984, (New York:IEEE), p.175

12. D. Bruß, Phys. Rev. Lett. 81, 3018 (1998)13. C.A. Fuchs, N. Gisin, R.B. Griffiths, C.S. Niu and A.

Peres, Phys. Rev. A 56, 1163 (1997)14. D. Bruß and C. Macchiavello, Phys. Rev. Lett. 88, 127901

(2002)15. N.J. Cerf, M. Bourennane, A. Karlsson and N. Gisin,

Phys. Rev. Lett. 88, 127902 (2002)16. M. Bourennane, A. Karlsson, G. Bjork, N. Gisin and N.J.

Cerf, J. Phys. A 35, 10065 (2002)17. N. Gisin and S. Wolf Phys. Rev. Lett. 83, 4200 (1999)18. N. Gisin and S. Wolf, in Proceedings CRYPTO 2000 Lec-

ture Notes in Computer Science, (Springer Verlag, Hei-delberg), 1880, 482

19. A. Acın, N. Gisin and V. Scarani, Quant. Info. Comp. 3,563 (2003)

20. A. Acın, L. Masanes and N. Gisin, Phys. Rev. Lett. 91,167901 (2003)

21. D. Bruß et. al., Phys. Rev. Lett. 91, 097901 (2003)22. M. Curty, M. Lewenstein and N. Lutkenhaus, Phys. Rev.

Lett. 92, 217903 (2003); M. Curty, O. Guhne, M. Lewen-stein and N. Lutkenhaus, Phys. Rev. A 71, 022306 (2005)

23. A. Acın and N. Gisin, Phys. Rev. Lett. 94, 020501 (2005)24. G.M. Nikolopoulos and G. Alber, Phys. Rev. A 72,

032320 (2005); see also quant-ph/050722125. C. H. Bennett, G. Brassard and N.D. Mermin, Phys. Rev.

Lett. 68, 557 (1992)26. H.K. Lo and H.F. Chau, Science 283, 2050 (1999)27. P.W. Shor and J. Preskill, Phys. Rev. Lett. 85, 441 (2000)28. H.K. Lo, Quant. Info. Comput. 2, 81 (2001)29. H.K. Lo, H.F. Chau and M. Ardehali, J. Cryptology 18,

133 (2005); see also quant-ph/001105630. D. Gottesman and J. Preskill, Phys. Rev. A 63, 022309

(2001)31. H.K. Lo, J. Phys. A. 34, 6957 (2001)32. The Bell states, |Φ±〉 ≡ 1√

2( |0A0B〉 ± |1A1B〉) and

|Ψ±〉 ≡ 1√2( |0A1B〉± |1A0B〉), form an orthonormal basis

in the two-qubit Hilbert space33. In general, a logarithmic scaling of the size of the random

sample with the length of Alice’s and Bob’s key, seems tobe sufficient for security issues. See Ref. [29] for a rigorousproof

34. S.K. Thompson, Sampling (John Wiley & Sons, NewYork, 2002); W.G. Cochran, Sampling Techniques (JohnWiley & Sons, New York, 1997)

35. Note that in the absence of noise and eavesdropping eachpair of qubits shared between Alice and Bob is in theBell state |Ψ−〉 [32]. Thus, in this ideal scenario, Aliceand Bob obtain perfectly anticorrelated measurement re-sults whenever they perform their measurements alongthe same basis

36. A. Peres, Phys. Rev. Lett. 77, 1413 (1996); M. Horodecki,P. Horodecki and R. Horodecki, Phys. Lett. A 223, 1(1996)

37. N. Gisin, G. Ribordy, W. Tittel and H. Zbinden, Rev.Mod. Phys. 74, 145 (2002)

38. I. Cirac and N. Gisin, Phys. Lett. A 229, 1 (1997)39. H. Bechmann-Pasquinucci and N. Gisin, Phys. Rev. A

59, 4238 (1999)40. U. Maurer and S. Wolf, IEEE Trans. Inf. Theory 45, 499

(1999)41. D. Kaszlikowski et al., quant-ph/031217242. C.H. Bennett, F. Bessette, G. Brassard, L. Salvail and J.

Smolin, J. Cryptology 5, 3 (1992)43. A. Ekert and B. Huttner, J. Mod. Opt. 41, 2455 (1994)

http://arXiv.org/abs/quant-ph/0507221



provable entanglement and information cost for qubit-based quantum key-distribution protocols

Documents